How does a data breach arise?
A data breach can occur as a result of a security vulnerability. This allows cybercriminals to gain access to computer files containing personal data, financial information, or trade secrets. Other examples of ways in which personal data inadvertently ends up in the hands of others include:
- A business email sent to a wrong address;
- Business laptops and USB sticks that are stolen or lost;
- Discarded business computers, smartphones and tablets that are resold without being wiped clean.
Handling sensitive data
Many data breaches also arise because internal employees handle sensitive data carelessly, or are not aware that the information may be of interest to a third party. It is not possible to protect all information within your organisation. Make an inventory of sensitive information and handle it with care. Handling with care means, for example, not sharing the information with everyone in the organisation, and training the people who work with the data. When an employee knows what type of information they are working with and why it is important to handle it carefully, they are less likely to make mistakes or handle the data carelessly.
The GDPR
A data breach may also be a violation of the General Data Protection Regulation (GDPR). If it is, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, DPA) can impose a fine on your company or organisation.
Data breach notification obligation
If you have discovered a data breach, you must report it to the DPA within 72 hours. You must also notify the persons involved of any theft, loss, or abuse of personal data for which you are responsible. The GDPR demands that businesses register and file all data leaks. If you fail to notify a data breach in time, the DPA may impose a fine.
How do I recognise a data breach?
You may not be aware that you have a data breach. Look out for the signals below. If you come across them, you may have fallen victim to a data breach.
Common suspicious activities are:
- login attempts from unknown sources or at odd times
- strange file alterations
- sudden appearances of unknown files
- loss of documents containing sensitive information
- files deleted by someone who is not authorised
- odd file or system management activities
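The signals above can be checked automatically. The following script, an added example that is not part of the original page, scans a small constructed access log for three of them: logins from unknown sources, logins at odd times, and file deletions by someone who is not authorised. The log format, the office-hours window and the allow-lists are assumptions made for the example.

```python
"""Flag warning signals of a possible data breach in a simple access log."""
from datetime import datetime
import ipaddress

# Assumed for this example: the office network, the staff allowed to delete
# files, and the hours during which a login is considered normal.
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
DELETE_AUTHORISED = {"admin", "backup-svc"}
OFFICE_HOURS = range(7, 20)  # 07:00 to 19:59 counts as normal

# Constructed sample log: "<ISO timestamp> <user> <source IP> <event> [<path>]".
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice 10.0.1.15 LOGIN
2024-03-04T03:41:55 alice 10.0.1.15 LOGIN
2024-03-04T10:05:20 bob 203.0.113.7 LOGIN
2024-03-04T11:30:00 admin 10.0.1.2 DELETE /shares/hr/payroll.xlsx
2024-03-04T11:31:10 carol 10.0.1.40 DELETE /shares/hr/contracts.pdf
"""


def parse_line(line):
    """Split one log line into its fields (path is optional)."""
    ts, user, ip, event, *rest = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "ip": ipaddress.ip_address(ip), "event": event,
            "path": rest[0] if rest else None}


def flag_events(log_text):
    """Return (line, reason) pairs for every line that matches a signal."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e["event"] == "LOGIN":
            if not any(e["ip"] in net for net in KNOWN_NETWORKS):
                findings.append((line, "login from unknown source"))
            if e["time"].hour not in OFFICE_HOURS:
                findings.append((line, "login at an odd time"))
        elif e["event"] == "DELETE" and e["user"] not in DELETE_AUTHORISED:
            findings.append((line, "file deleted by unauthorised user"))
    return findings


if __name__ == "__main__":
    for line, reason in flag_events(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Run against the sample log it reports the 03:41 login, bob's login from outside the office network, and carol's deletion; the first four lines of each finding tell you which signal fired and which log line triggered it.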
Preventing a data breach
Naturally, you do not want your sensitive, protected, or confidential company data to be exposed. Keep company information safe and prevent it from being viewed or made public. The greater the awareness and the stricter the measures, the better. That way, if equipment is stolen or lost, the risk of business loss or a data breach is reduced. Here are some tips for preventing a data breach:
Do not collect (sensitive) information that you do not need
Collecting names, dates of birth, medical or financial data is made easy by various systems. But do you really need this data? Take a good look at whether the information you collect and store is relevant to your work and business processes.
Delete (sensitive) data you no longer need
The use of various systems usually means that information is stored automatically. You may be storing much more sensitive data than you actually need for your work. Take a good look at whether personal data of former customers, payment dates, or login details from the past are useful to store.
Consciously grant access to sensitive data
If it is necessary to give certain employees access to sensitive data, think this through carefully in advance. Keep track of which employee has access to which type of information and whether they need it to do their work.
Limit the number of places where you store sensitive data
If you are dealing with sensitive data, secure it well and store it in as few places as possible. You reduce the risk of unintentional data leaks if you store such information centrally, grant employees selective access, and keep track of which information is available to whom. Do not forget to make regular backups and to keep systems up to date.
Prevention software
Even when employees are well trained, mistakes can happen. In addition to a tight security mindset, you can also use Data Loss Prevention (DLP) software. DLP software detects potential data breaches by monitoring sensitive data and detecting and blocking attempts to move it out of the organisation. For example, with DLP software you can classify and manage critical information, so that unauthorised end users cannot access it or share it with third parties, whether accidentally or with malicious intent.
Hard drive encryption
Encrypt all data on laptop hard drives. This makes it difficult for thieves to view or disclose the data.
Two-step verification
Log in using two-step verification or two-factor authentication. This means that in addition to a username and password, an extra step must be taken to log in successfully, for example a fingerprint. The second step can be based on a hardware or a software token. The latter can be done, for example, via a smartphone app.
Mobile Device Management
With Mobile Device Management, you can remotely block a mobile device and delete data if necessary. Depending on the type and brand of equipment, there are various options.
Policy
Set up a policy. Agree that data will not be stored locally on laptops and other devices. Try to enforce this technically as much as possible, by means of network and device policies. Use existing secure cloud storage providers for data storage, with two-step verification for logging in.
Other measures
The use of other security measures, such as regular pen-testing of software, antivirus and malware protection, strong passwords, and patching, can also reduce the risk of a data breach. But to keep data breaches to a minimum, it is crucial that employees are continually trained and remain aware of the risks.